Paul J. Hart’s research while affiliated with Florida Atlantic University and other places

National adoption of Electronic Health Records (EHRs) is considered an essential component of the health care system overhaul sought by policy makers and health care professionals, in both U.S. and Europe, to cut costs and increase benefits. And yet, along with the technological aspects, the human factor consistently proves to be a critical component to diffusion of any IT system, and is even more so regarding health care. The highly personal and sensitive nature of health care data and the associated concerns about privacy impede even the most efficient and technologically perfect system. Our objective is to investigate individuals’ attitudes towards EHR and what factors form these attitudes. If we understand individuals’ attitudes regarding EHR and the factors that influence them, we will be in a better position to take responsive measure to facilitate Privacy by Design for EHRs. A positivist research model is empirically tested using survey data from U.S. and Italy and structural equation modeling techniques. We find that perceived effectiveness of regulatory mechanisms positively impact trust; perceived effectiveness of technological mechanisms positively impacts perceived privacy control and trust; the latter two help reduce privacy concerns which, along with perceived benefits, convenience, and Internet experience, play the privacy calculus-type formation of attitudes towards EHR.

Privacy is one of the few concepts that has been studied across many disciplines, but is still difficult to grasp. The current understanding of privacy is largely fragmented and discipline-dependent. This study develops and tests a framework of information privacy and its correlates, the latter often being confused with or built into definitions of information privacy per se. Our framework development was based on the privacy theories of Westin and Altman, the economic view of the privacy calculus, and the identity management framework of Zwick and Dholakia. The dependent variable of the model is perceived information privacy. The particularly relevant correlates to information privacy are anonymity, secrecy, confidentiality, and control. We posit that the first three are tactics for information control; perceived information control and perceived risk are salient determinants of perceived information privacy; and perceived risk is a function of perceived benefits of information disclosure, information sensitivity, importance of information transparency, and regulatory expectations. The research model was empirically tested and validated in the Web 2.0 context, using a survey of Web 2.0 users. Our study enhances the theoretical understanding of information privacy and is useful for privacy advocates, and legal, management information systems, marketing, and social science scholars.

We develop an individual behavioral model that integrates the role of top management and organizational culture into the theory of planned behavior in an attempt to better understand how top management can influence security compliance behavior of employees. Using survey data and structural equation modeling, we test hypotheses on the relationships among top management participation, organizational culture, and key determinants of employee compliance with information security policies. We find that top management participation in information security initiatives has significant direct and indirect influences on employees’ attitudes towards, subjective norm of, and perceived behavioral control over compliance with information security policies. We also find that the top management participation strongly influences organizational culture which in turn impacts employees’ attitudes towards and perceived behavioral control over compliance with information security policies. Furthermore, we find that the effects of top management participation and organizational culture on employee behavioral intentions are fully mediated by employee cognitive beliefs about compliance with information security policies. Our findings extend information security research literature by showing how top management can play a proactive role in shaping employee compliance behavior in addition to the deterrence oriented remedies advocated in the extant literature. Our findings also refine the theories about the role of organizational culture in shaping employee compliance behavior. Significant theoretical and practical implications of these findings are discussed.

Organizational information practices can result in a variety of privacy problems that can increase consumers' concerns for information privacy. To explore the link between individuals and organizations regarding privacy, we study how institutional privacy assurances such as privacy policies and industry self-regulation can contribute to reducing individual privacy concerns. Drawing on Communication Privacy Management (CPM) theory, we develop a research model suggesting that an individual's privacy concerns form through a cognitive process involving perceived privacy risk, privacy control, and his or her disposition to value privacy. Furthermore, individuals' perceptions of institutional privacy assurances -- namely, perceived effectiveness of privacy policies and perceived effectiveness of industry privacy self-regulation -- are posited to affect the riskcontrol assessment from information disclosure, thus, being an essential component of privacy concerns. We empirically tested the research model through a survey that was administered to 823 users of four different types of websites: 1) electronic commerce sites, 2) social networking sites, 3) financial sites, and 4) healthcare sites. The results provide support for the majority of the hypothesized relationships. The study reported here is novel to the extent that existing empirical research has not explored the link between individuals' privacy perceptions and institutional privacy assurances. We discuss implications for theory and practice and provide suggestions for future research.

The study examines differences in individual’s privacy concerns and beliefs about government surveillance in Italy and the United States. By incorporating aspects of multiple cultural theories, we argue that for both countries, the user’s decision to conduct e-commerce transactions on the Internet is influenced by privacy concerns, perceived need for government surveillance that would secure the Internet environment from fraud, crime and terrorism, and balancing concerns about government intrusion. An empirical model was tested using LISREL structural equation modeling and multigroup analysis. The results support the hypotheses with regard to direction and relative magnitude of the relationships. Italians exhibit lower Internet privacy concerns than individuals in the U.S., lower perceived need for government surveillance, and higher concerns about government intrusion. The relationships among the model constructs are also different across the two countries. Implications of the findings and directions for future work are discussed.

This U.S.-based research attempts to understand the relationships between users’ perceptions about Internet privacy concerns, the need for government surveillance, government intrusion concerns, and the willingness to disclose personal information required to complete online transactions. We test a theoretical model based on a privacy calculus framework and Asymmetric Information Theory using data collected from 422 respondents. Using LISREL, we found that privacy concerns have an important influence on the willingness to disclose personal information required to transact online. The perceived need for government surveillance was negatively related to privacy concerns and positively related to willingness to disclose personal information. On the other hand, concerns about government intrusion were positively related to privacy concerns. The theoretical framework of our study can be applied across other countries.

Although service-level agreements (SLAs) are important for IT outsourcing management, appropriate mechanisms for constructing effective SLAs are still poorly understood, leading to inadequate or overcomplicated contracts that are ineffective. This study examines the associations among three distinct sets of SLA characteristics and outsourcing success, as well as the role of commitment in these relationships. Analyzing survey data based on a model theorizing the alignment of SLA characteristics with intended outsourcing objectives, we find that different types of benefits attained through IT outsourcing arrangements are associated with the use of specific contractual dimensions. We also find that commitment, in general, moderates the impact of SLAs on outsourcing success, although the nature of the moderation varies with the different benefits IT outsourcing engagement is intended to achieve. Interestingly, in certain cases—change characteristics for achieving technology benefits, in particular—commitment can be a barrier to the effective use of SLAs in achieving intended outsourcing benefits. As such, our study extends the literature on IT outsourcing, contracting and commitment, as well as provides a general guideline for practitioners to structure effective SLAs and to properly use commitment for managing IT outsourcing engagements to successfully achieve intended benefits.

Numerous public opinion polls reveal that individuals are quite concerned about threats to their information privacy. However, the current understanding of privacy that emerges is fragmented and usually discipline-dependent. A systematic understanding of individuals’ privacy concerns is of increasing importance as information technologies increasingly expand the ability for organizations to store, process, and exploit personal data. Drawing on information boundary theory, we developed an integrative model suggesting that privacy concerns form because of an individual’s disposition to privacy or situational cues that enable one person to assess the consequences of information disclosure. Furthermore, a cognitive process, comprising perceived privacy risk, privacy control and privacy intrusion is proposed to shape an individual’s privacy concerns toward a specific Web site’s privacy practices. We empirically tested the research model through a survey (n=823) that was administered to users of four different types of web sites: 1) electronic commerce sites, 2) social networking sites, 3) financial sites, and 4) healthcare sites. The study reported here is novel to the extent that existing empirical research has not examined this complex set of privacy issues. Implications for theory and practice are discussed, and suggestions for future research along the directions of this study are provided.

This research is an attempt to better understand how external and internal organizational influences shape organizational actions for improving information systems security. A case study of a multi-national company is presented and then analyzed from the perspective of neo-institutional theory. The analysis indicates that coercive, normative, and mimetic isomorphic processes were evident, although it was difficult to distinguish normative from mimetic influences. Two internal forces related to work practices were identified representing resistance to initiatives to improve security: the institutionalization of work mobility and the institutionalization of efficiency outcomes expected with the adoption of company initiatives, especially those involving information technology. The interweaving of top–down and bottom–up influences resulted in an effort to reinforce, and perhaps reinstitutionalize the systems component of information security. The success of this effort appeared to hinge on top management championing information system security initiatives and propagating an awareness of the importance of information security among employees at all levels of the company. The case shows that while regulatory forces, such as the Sarbanes-Oxley Act, are powerful drivers for change, other institutional influences play significant roles in shaping the synthesis of organizational change.